Use AWS Roles for Authorization instead of handing over IAM Credentials

It is a pretty common pattern for third-party systems which need access to your AWS account to use a role from their own AWS account to do so. Here is an example from another provider (this is the assume role policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXX:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "XXXXXX-XXXXX...."
                }
            }
        }
    ]
}

In this case, the provider even created a one-click CloudFormation stack that was very easy to review and apply.

Why can this be preferred compared to setting up IAM credentials?

  • Since there are no credentials, there is no potential for credentials to leak. As long as Doppler keeps their AWS account safe, it is safe. It might be possible to add a second layer of validation using the external fields in STS (as in the example above), which could make it even safer.
  • Handling these credentials safely is a bit of a pain.
  • Lots of AWS review tools will flag individual user accounts, instead preferring roles with well defined trust relationships.

I hope this is something that can be added soon. Doppler is basically the only integration that we use which does not currently support this.
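As an added illustration (not from the thread, Doppler, or the other provider), a small Python check of the kind a reviewer might run over a vendor-supplied trust policy before applying it: it confirms that the AssumeRole principal is pinned to the vendor's account rather than a wildcard, and that the sts:ExternalId condition shown above is present. The account id and external id are constructed placeholders.

```python
import json

# Constructed sample in the shape of the trust policy quoted above;
# the account id and external id are placeholders, not real values.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})

# Constructed weak variant: wildcard principal and no ExternalId condition.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
})


def review_trust_policy(policy_json, expected_account):
    # Returns a list of findings (empty list means the policy passed).
    # Every Allow statement granting sts:AssumeRole must name only the
    # expected vendor account and carry an sts:ExternalId condition.
    findings = []
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        if isinstance(principals, str):  # bare "*" form
            principals = {"AWS": principals}
        aws_principals = principals.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*" or not p.startswith(f"arn:aws:iam::{expected_account}:"):
                findings.append(f"principal not restricted to account {expected_account}: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
    return findings
```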

It’s coming later this year!


Hey @DopplerMark,

Do you have any updates on this? Just found out about Doppler and this is a missing feature for us to adopt Doppler.

A lot of organizations use multiple AWS accounts with AssumeRole policies, and as the OP said, it’s a pain to manage if access keys need to be created for each account (and potentially a safety issue).

Thanks!

I’d love to know about this too. We are Team users, but are getting ready to move to Enterprise and will need role access if/when it’s available. I am getting pushback from our cloud folks when asking for a single IAM user per account for secret sync, so this would be a bacon-saver for us.